Data Breaches: 10 Common Mistakes That Put Enterprises at Risk

Data Breaches: 10 Common Mistakes That Put Enterprises at Risk

By Chris Preimesberger

No Engagement With Outside Counsel

Enlisting an outside attorney is highly recommended. No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated. Unless internal resources are knowledgeable with all current laws and legislation, it is best to engage legal counsel with expertise in data breaches to help navigate through these challenging landscapes.

No External Agencies Secured

All external partners should be in place prior to a data breach so they can be immediately called upon when a breach occurs. The process of selecting the right partner can take time, because there are different levels of service and various solutions to consider. Plus, it is important to think about the integrity and security standards of a partner before aligning the company brand with it. Not having a forensic expert or resolution agency already identified will delay the data breach response process.

No Single Decision-Maker

While there are several parties within an organization that should be on the data breach response team, every team needs a leader. Determine who will be the driver of the response plan and primary contact to all external partners. Also, outline a structure of internal reporting to ensure that executives and everyone else on the response team is up-to-date and on track during a data breach.

Lack of Clear Communication

Internal miscommunication can be the main cause of a mishandled data breach, because it adds confusion and delays in the resolution process. Ensure that there is one clear leader, and once the incident response team is in play, provide internal stakeholders as well as outside partners with ongoing updates on the resolution progress.

Waiting for Perfect Information Before Acting

Managing a data breach often requires operating with incomplete or evolving information about the specifics of the incident, due to new information learned by security forensics investigations. Companies need to begin the process of managing a breach once an intrusion is confirmed and be flexible with the road map. Waiting for perfect information could ultimately lead to condensed timeframes that make it difficult to meet the many legal and regulatory requirements.

Micromanaging the Breach

Data breach resolution often requires the support and involvement of multiple departments and teams because the incident response can intersect with areas such as IT, human resources, legal, and public relations, among others. Often, companies fail when micromanaging occurs by one leader. Trust your incident response team, outside counsel and breach resolution consultants, and hold them responsible for executing the incident response plan.

No Communications Plan

Media scrutiny of data breaches and security incidents is at an all-time high, and negative stories can lead to a significant loss of reputation. In the event of a breach, companies should have a well-documented and tested communications plan that includes draft statements and other materials that can be activated quickly. Failure to integrate communications into overall planning typically means delayed responses to media and likely more critical coverage.

No Post-Incident Remediation Plans

Companies should consider and plan how to engage with customers and other audiences once the breach is resolved and put additional measures in place to prevent future incidents. If an organization makes additional investments in processes, people and technology to more effectively secure data, finding ways to share those efforts with stakeholders can help rebuild reputation and trust. Yet, many fail to take advantage of this long-term need once the initial shock of the incident is over.

Not Providing a Remedy to Consumers

Companies should put customers at the center of decision-making following a breach. This focus means providing some sort of remedy, including call centers, where consumers can voice their concerns, or credit monitoring if financial, health or other highly sensitive information is lost. Even in incidents that involve less sensitive information, companies should consider other actions or guidance that can be provided to consumers to protect them.

Practice, Practice, Practice

Above all, a plan needs to be practiced with the full team. An incident-response plan is a course of action that needs to be continually updated and revised. By conducting practice exercises on a regular basis, teams can work out any hiccups before it's too late.

It's hardly uncommon anymore to see a headline in the news about a company falling victim to hackers, suffering a data breach and enduring scrutiny for the loss of customer data. Yet despite increasing awareness of these problems, not all organizations take the necessary steps to prepare for and mitigate the damage of a breach. Astonishingly, a 2013 Experian Data Breach Resolution and Ponemon Institute study finds that nearly 40 percent of companies that experienced a breach said that they had not yet developed a formal preparedness plan, even after the incident. In this eWEEK slideshow, Experian data breach resolution experts have identified 10 common missteps that often put organizations at greater risk for reputational, financial and legal damage following a breach. Many of the guidelines relate to seeking advice from qualified professionals, improving security management methods, improving communications between the parties involved, and mapping out a thorough, well-tested incident response plan.

Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz